In recent months, Microsoft has observed a significant uptick in cyberattacks targeting critical vulnerabilities within on-premises Exchange and SharePoint servers. These sophisticated attacks have enabled threat actors to gain persistent, privileged access to organizational environments, leading to remote code execution, lateral movement across networks, and the exfiltration of sensitive data.
NTLM Relay Attacks and Credential Theft
A notable trend in these attacks is the exploitation of weaknesses in the NTLM authentication protocol. Cybercriminals are conducting NTLM relay attacks by capturing and relaying stolen credentials to vulnerable servers. This method allows attackers to compromise user accounts, particularly those with elevated privileges, facilitating further malicious activities within the network.
Stealthy Persistence in SharePoint Servers
Attacks on SharePoint servers have become increasingly covert. Threat actors have been observed modifying legitimate files by appending web shell code to existing pages and deploying remote monitoring and management (RMM) tools. These tactics provide persistent, stealthy access that is challenging to detect using traditional security measures.
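Because the technique described here appends code to pages that already exist on the server, a simple but effective check is a file-integrity baseline of the web content directories: hash the server-side files once, then diff against a fresh hash set. The script below is an added example, not Microsoft's or the SharePoint product's own tooling; the watched extensions, the directory layout and the file contents in the demo are assumptions constructed for illustration, and the appended text in the demo is an inert comment that merely simulates a modified page.

```python
"""File-integrity baseline for ASP.NET web content (added example, not Microsoft code).

Builds a map of relative path -> SHA-256 for server-executed file types, saves it
as JSON, and reports files that were modified, added or removed since the baseline.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: these suffixes cover what IIS/ASP.NET executes or loads server-side.
WATCHED_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".cs", ".config", ".dll"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Hash every watched file under root; keys use '/' so Windows and POSIX match."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def save_baseline(baseline: Dict[str, str], out_file: Path) -> None:
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> Dict[str, str]:
    return json.loads(in_file.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences; a 'modified' .aspx is the case the report describes."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny tree, alter it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "_layouts").mkdir()
        page = root / "_layouts" / "settings.aspx"
        page.write_text('<%@ Page Language="C#" %>\n<html>ok</html>\n')
        (root / "web.config").write_text("<configuration/>\n")

        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")  # .json is not watched

        # Simulate the reported technique: content appended to a legitimate page.
        with page.open("a") as fh:
            fh.write("<!-- constructed, inert marker standing in for appended code -->\n")
        # And a brand-new server-side file dropped next to it.
        (root / "_layouts" / "extra.ashx").write_text("<%@ WebHandler %>\n")

        return compare(load_baseline(root / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline build right after patching and store the JSON off the server, since every legitimate update changes these files and a baseline taken after a compromise would simply enshrine the web shell. A scheduled diff that alerts on any "modified" or "added" entry under the IIS and SharePoint layouts directories gives a detection signal that does not depend on recognising the web shell's contents.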
AMSI Integration as a Defensive Measure
To counter these evolving threats, Microsoft has integrated the Windows Antimalware Scan Interface (AMSI) into both Exchange and SharePoint servers. AMSI acts as a security filter within the IIS pipeline, inspecting incoming HTTP requests, including request bodies, for malicious content before they reach the application layer. When a threat is detected, AMSI blocks the request in real time, returning an HTTP 400 Bad Request response, which prevents exploitation even before an official patch can be applied.
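Since AMSI answers a blocked request with HTTP 400, the IIS access log becomes a cheap place to look for blocked probes. The script below is an added example (not Microsoft's code) that parses IIS W3C extended-format logs using the #Fields header, then groups 400 responses by client and URI so repeated rejections stand out. The log lines, IP addresses, paths and user agents are constructed sample data; the field set is assumed to be the IIS default shown in the #Fields line.

```python
"""Triage IIS W3C logs for repeated HTTP 400 responses (added example, not Microsoft code)."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log (IIS W3C extended format). IIS writes '+' for spaces
# inside the User-Agent field, so whitespace splitting is safe on real logs too.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-01-15 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 120
2025-01-15 10:00:02 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.10 python-requests/2.31 400 0 0 15
2025-01-15 10:00:03 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.10 python-requests/2.31 400 0 0 12
2025-01-15 10:00:04 10.0.0.5 POST /_layouts/15/settings.aspx - 443 CONTOSO\\alice 192.0.2.7 Mozilla/5.0 200 0 0 80
2025-01-15 10:00:05 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.10 curl/8.4 400 0 0 9
2025-01-15 10:00:06 10.0.0.5 GET /owa/ - 443 CONTOSO\\bob 192.0.2.8 Mozilla/5.0 200 0 0 95
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field list can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip, do not guess
        records.append(dict(zip(fields, values)))
    return records


def find_blocked_requests(records: List[Dict[str, str]], status: str = "400") -> Counter:
    """Count (client IP, URI stem) pairs that received the given status code."""
    hits: Counter = Counter()
    for rec in records:
        if rec.get("sc-status") == status:
            hits[(rec["c-ip"], rec["cs-uri-stem"])] += 1
    return hits


def summarize(records: List[Dict[str, str]], threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Clients hitting the same URI with repeated 400s, most frequent first."""
    hits = find_blocked_requests(records)
    flagged = [(ip, uri, n) for (ip, uri), n in hits.items() if n >= threshold]
    return sorted(flagged, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for ip, uri, n in summarize(parse_iis_log(SAMPLE_LOG), threshold=1):
        print(f"{ip:15} {uri:35} {n} x 400")
```

A 400 on its own is not proof of an AMSI block; malformed client requests produce the same code. Treat the output as a triage list and confirm each candidate against the server's antimalware detection events before escalating, and pay particular attention to clients that mix 400s with successful authenticated requests, since that pattern fits a probe against an account that is already in use.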
Recommendations for Organizations
Microsoft strongly urges organizations running on-premises Exchange or SharePoint servers to:
– Apply the latest security patches and updates without delay.
– Enable AMSI integration and ensure compatible antimalware solutions are active.
– Audit and harden NTLM authentication configurations, enabling Extended Protection for Authentication (EPA) where possible.
– Monitor for suspicious activity, such as abnormal HTTP requests or unauthorized mailbox access.
As attackers continue to innovate, layered defenses and rapid response remain essential to protecting critical business assets from compromise.